CVE-2020-13430 – grafana: XSS via the OpenTSDB datasource
https://notcve.org/view.php?id=CVE-2020-13430
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. A flaw was found in Grafana: tag value XSS via the OpenTSDB datasource is possible. The highest threat from this vulnerability is to data confidentiality and integrity.
References:
https://github.com/grafana/grafana/pull/24539
https://github.com/grafana/grafana/releases/tag/v7.0.0
https://security.netapp.com/advisory/ntap-20200528-0003
https://access.redhat.com/security/cve/CVE-2020-13430
https://bugzilla.redhat.com/show_bug.cgi?id=1848108
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12458 – grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
https://notcve.org/view.php?id=CVE-2020-12458
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and the database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
References:
https://access.redhat.com/security/cve/CVE-2020-12458
https://bugzilla.redhat.com/show_bug.cgi?id=1827765
https://github.com/grafana/grafana/issues/8283
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A
https://security.netapp.com/advisory/ntap-20200518-0001
CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2020-12459 – grafana: information disclosure through world-readable grafana configuration files
https://notcve.org/view.php?id=CVE-2020-12459
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable. An information-disclosure flaw was found in Grafana as distributed by Red Hat. This flaw allows a local attacker to access potentially sensitive information, such as the secret_key and bind_password, from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml.
References:
https://access.redhat.com/security/cve/CVE-2020-12459
https://bugzilla.redhat.com/show_bug.cgi?id=1829724
https://github.com/grafana/grafana/issues/8283
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A
https://security.netapp.com/advisory/ntap-20200518-0004
https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160c
CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2020-12052 – grafana: XSS annotation popup vulnerability
https://notcve.org/view.php?id=CVE-2020-12052
Grafana versions before 6.7.3 are vulnerable to annotation popup XSS. A flaw was found in Grafana: the software is vulnerable to an annotation popup XSS.
References:
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://security.netapp.com/advisory/ntap-20200511-0001
https://access.redhat.com/security/cve/CVE-2020-12052
https://bugzilla.redhat.com/show_bug.cgi?id=1848089
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-12245 – grafana: XSS via column.title or cellLinkTooltip
https://notcve.org/view.php?id=CVE-2020-12245
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. A flaw was found in Grafana: an XSS is possible in the table panel via column.title or cellLinkTooltip.
References:
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#673-2020-04-23
https://github.com/grafana/grafana/pull/23816
https://secu
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')